Secure Your WordPress
null Bangalore Bachaav Workshop - November 2013 (transcript)
Secure WordPress
Bachaav Session - A Null Community Initiative
30 Nov 2013
Agenda
• Understand
  – How WordPress works
  – File and folder co-relations
• How to Setup
• Security Configuration
Demo Setup
• VirtualBox VM
  – NAT interface for Internet access
  – Host-only connection for normal testing
  – sudo ifconfig => get the IP address
• Various URLs
  – http://IP/wordpress
  – http://IP/phpmyadmin
• Credentials
  – Username: wordpress
  – Password: wordpress
How WordPress Works
● index.php
  – Defines WP_USE_THEMES
  – include(wp-blog-header.php)
● wp-blog-header.php
  – include(wp-config.php) -> DB and other constants
  – include(wp-settings.php)
    ● lots and lots of includes
    ● Plugins loaded from PLUGIN_DIR
    ● Pluggable functions loaded (can be overridden by plugins)
  – Path declaration
  – Query parsing and assignment
  – HTTP headers
  – Request parsing
  – Template redirections
  – Theme
    ● Header
    ● Loop
    ● Widget / Sidebar
    ● Footer
Reference: http://codex.wordpress.org/User:DavidHouse/Wordpress_Code_Flow
File and Folder Co-relations
● wp-config.php
● wp-settings.php
● index.php
● .htaccess
● /wp-admin/
● /wp-content
  – /plugins
  – /themes
● /wp-includes
Agenda
• Understand
• How to Setup
  – Setup over FTP / SSH
  – Setup via SVN
• Security Configuration
Setup
• Shared hosting
  – Use the hosting control panel
  – Upload via FTP and run install.php
• VPS / Dedicated / Cloud Server
  – Upload via SSH / FTP
  – Sync via SVN
WordPress Setup
Agenda
• Understand
• How to Setup
• Security Configuration
  – Basic server hardening
  – Understanding attack vectors
  – Implement protections
Base Server Hardening
• This session is WordPress focused, so server hardening will not be covered in detail.
Core Level Attacks
● Present unpatched issues
  – Full path disclosures
  – Enumeration issues
    ● Username
    ● Attachment
    ● Plugins
    ● Themes
  – Account bruteforce
  – Version disclosure, in multiple places
● Previously exploited issues
  – XML-RPC based SSRF attack
  – DDoS and more
Other Attacks
● Plugin / theme using old files
● Vulnerable code in core
● Vulnerable code in plugins / themes
● Permission and access issues
How to Defend
● Core modifications are not recommended, as every upgrade overwrites the core files.
● Implement custom .htaccess based restrictions
● Implement hook / function overrides via custom theme templates
● Even modifying the parent theme is an absolute no-no, as the next update will override it.
HTACCESS
● Redirections
    RewriteCond %{REQUEST_URI} robots.txt
    RewriteRule ^abracadabra/ http://google.com [R=301,L]
● Custom directives
    DirectoryIndex index.html
    ServerSignature Off
    Header unset ETag
Theme modification the right way
● Child theme folder: all files are picked first from this folder and then from the parent theme
● style.css
    /*
    Theme Name: Anantshri
    Theme URI: http://www.anantshri.info/
    Description: Child theme for the twenty twelve
    Author: Anant Shrivastava
    Author URI: http://anantshri.info/about/
    Template: twentytwelve
    Version: 0.1.0
    */
    @import url("../twentytwelve/style.css");
● functions.php: can be used to provide all function overrides
    remove_action( 'widgets_init', 'xyz_widgets_init' );
    add_action( 'widgets_init', 'abc_widgets_init' );
User / Attachment Enumeration
● index.php?author=1
  – Redirects to /author/<username>
● index.php?attachment=1
  – Redirects to the individual attachment URL
Plugin / Theme Enumeration
● How it is identified
  – Predictable URLs: wp-content/plugins, wp-content/themes
  – Predictable files: readme.txt and plugin-specific assets (js or css)
Account Bruteforce / Enumeration
● Accounts can be enumerated because the login form returns different error messages.
More Issues
● Full path disclosures
    display_errors = Off (php.ini)
● Clickjacking protection
● SWF and TimThumb related attacks
● Issues related to the wp-includes folder
● Comment spam
● Dangerous methods (PUT and more)
● XML-RPC issues
● Automated scanners
● WordPress header code
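A child-theme functions.php that applies the hook-based defences from the slides above (the ?author= enumeration redirect, the differing login error messages, the generator tag in the header code and XML-RPC) using only core WordPress hooks. This is an added example, not the workshop's code; the null_* function names are ours.

```php
<?php
// functions.php of a child theme (added example, not the workshop's code).
// Hook and filter names are core WordPress ones; the null_* functions are ours.

// 1. User enumeration: "?author=N" is normally redirected by WordPress's own
//    redirect_canonical() (hooked on template_redirect at priority 10) to
//    /author/<username>/. Run at priority 1 so we act before that redirect and
//    send front-end requests carrying ?author= back to the home page instead.
function null_block_author_enumeration() {
    if ( ! is_admin() && isset( $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 302 );
        exit;
    }
}
add_action( 'template_redirect', 'null_block_author_enumeration', 1 );

// 2. Account enumeration via the login form: return one generic message
//    instead of the distinct "invalid username" / "incorrect password" texts.
function null_generic_login_error( $error ) {
    return 'Login failed.';
}
add_filter( 'login_errors', 'null_generic_login_error' );

// 3. Version disclosure in the header code: drop <meta name="generator" ...>.
remove_action( 'wp_head', 'wp_generator' );

// 4. XML-RPC: turn it off when nothing you run (pingbacks, remote publishing
//    clients) needs it, removing the interface used in the SSRF/DDoS issues.
add_filter( 'xmlrpc_enabled', '__return_false' );
```

Because these live in the child theme's functions.php, they survive parent theme and core upgrades, which is the point of the child-theme approach on the earlier slide.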
Plus a lot more
● This should help us get started, and since you are now aware of the various functions and the ways to control them, it is an open playground now.